Doug Reilly's Weblog

Embedded Reporting of the Information Age...

WS-Security, et al, vs. Plain Old Web Services with SSL

I have been looking into doing some WSE development (WS Security specifically interested me).  In looking carefully at the issues involved (including the issue Scott mentions here), I am wondering whether a move to WS-Security and the rest will buy me anything over and above using Web Services over https?  The amount of data transferred using the Web Service in question is relatively small, and the SSL overhead has never been an issue.  I currently own the code on both ends of the Web Service request.

Has anyone done any serious study of this? 

UPDATE: Apparently, they have done a lot of study on this.  For instance, here.

Posted: Sep 23 2004, 11:45 AM by douglas.reilly | with 6 comment(s)
Filed under: ,

Comments

John Bristowe said:

WS-Security ensures quality of protection mechanisms through industry standards like XML Encryption and XML Signature to provide message-level security. Coupled with WS-SecureConversation, the advantage WS-Security has over SSL/TLS over HTTP is twofold: (1) it is transport-agnostic and (2) it provides security mechanisms that operate in end-to-end scenarios (across trust boundaries) as opposed to point-to-point scenarios (i.e. SSL/TLS).

Some blogs that I'd recommend include the following:

Benjamin Mitchell
http://www.benjaminm.net/

Hervey Wilson
http://www.dynamic-cast.com/

Michele Leroux Bustamente
http://www.dasblonde.com/
# September 23, 2004 12:19 PM

TrackBack said:

Looking to choose between SSL and WS-Security to secure your web service calls? This blog describes some of the advantages that WS-Security provides.
# September 23, 2004 5:21 PM

Julie Lerman said:

awww shucks they beat me to it. I definitely wanted to point out the end to end security that you don't get with ssl and also if you are doing simple stuff, with WSE2 you can just basically set up the rules of what you want to happen (with ws-policy) and reduce your coding dramatically. If you are doing super duper basic stuff, a few clicks in the wse2 config tool does it all for you.
# September 23, 2004 6:58 PM

Douglas Reilly said:

Lots to think about. Thanks for pointing it out! I will continue plugging away at WSE then, I guess...
# September 23, 2004 7:59 PM

Julie Lerman said:

p.s. if you got the teched cd - there's a great presentation on there by Benjamin. He really does write extensive and great posts on WSE2. Also check Code Magazine (april?) for an article by Michele. There are of course many great resources now - I'm sure you've been finding them.
# September 23, 2004 11:06 PM

TrackBack said:

Looking to choose between SSL and WS-Security to secure your web service calls? This blog describes some of the advantages that WS-Security provides.
# September 29, 2004 11:38 AM
Leave a Comment

(required) 

(required) 

(optional)

(required)